
Arrests Made In $45M Russian Bank Hack

Russian authorities made 50 arrests related to a five-year campaign to steal $45M from Russia’s largest bank, Sberbank.

Russian law enforcement has made 50 arrests in connection with a five-year operation to steal three billion rubles (just shy of $45 million USD) from the country’s largest bank, Sberbank.

The hackers are alleged to have exploited websites, including popular news sites, to infect victims with the Lurk Trojan, a downloader that grabs more malware from the attackers’ servers.

Lurk is injected into memory, making it difficult to detect and analyze. Further, the attackers used compromised VPN connections to hide their traces.

Researchers at Kaspersky Lab worked with law enforcement and bank officials to support the arrests.

“We realized early on that Lurk was a group of Russian hackers that presented a serious threat to organizations and users. Lurk started attacking banks one-and-a-half years ago; before then its malicious program targeted various enterprise and consumer systems,” said Ruslan Stoyanov, head of computer incidents investigation at Kaspersky Lab. “Our company’s experts analyzed the malicious software and identified the hacker’s network of computers and servers. Armed with that knowledge the Russian Police could identify suspects and gather evidence of the crimes that had been committed. We look forward to helping to bring more cybercriminals to justice.”

The arrests were announced the same day researchers at security company Zscaler disclosed their analysis of a malicious Android application posing as the Sberbank mobile app. The malicious app steals credentials and requests extensive privileges on compromised devices.

The app is worrisome because it can steal SMS messages and monitor incoming calls, two avenues by which banks send one-time passwords and PINs used as a second authentication factor.

“Even if the victim tries to access the original app, the malware will forcefully present its own fake login screen to the victim,” Zscaler said in its report. “Once the user enters their login details, they are sent to Command & Control (C&C) server.”

The malicious app also has overlays for third-party apps the user is likely to have on their phone, including secure messaging app WhatsApp, the Google Play app and the VTB 24 banking app.

“The fake login pages fetched from those URLs have the same representation as the original ones,” Zscaler said. “Once the user enters their credentials, they are sent to C&C server and the same functionality of displaying technical error is implemented.”

The hackers also took a unique approach to maintain persistence.

“[The app] registers a broadcast receiver that triggers whenever the victim tries to remove administrator rights of the malware app, locking the Android device for a few seconds. As a result, it is not possible to uninstall this malicious app by revoking admin rights,” Zscaler said. “The only option left with the victim is to reset the device to factory settings. This again will lead to more data loss for the victim.”
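As an added defensive example (not from the article or from Zscaler's report), the following Python script triages a decoded AndroidManifest.xml for the capability mix described above: SMS and call-monitoring permissions, the overlay permission used for fake login screens, and a device-admin receiver, which is what lets an app react when the user tries to revoke its admin rights. The sample manifest and its package name are constructed; the permission and action names are real Android identifiers.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability mix
described in the article: SMS and call interception, screen overlays and a
device-admin receiver that can react when the user tries to revoke admin
rights. Standard library only; the sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Real Android permissions mapped to the behaviour described (labels are ours).
RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (one-time passwords)",
    "android.permission.READ_SMS": "read stored SMS (one-time passwords)",
    "android.permission.READ_PHONE_STATE": "monitor incoming calls",
    OVERLAY_PERM: "draw over other apps (fake login screens)",
}

def triage_manifest(xml_text):
    """Return risky permissions, device-admin receivers and a heuristic verdict."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    perms = [(p, why) for p, why in RISK_PERMISSIONS.items() if p in requested]
    # A receiver guarded by BIND_DEVICE_ADMIN is a DeviceAdminReceiver: Android delivers
    # DEVICE_ADMIN_DISABLE_REQUESTED to it whenever the user tries to revoke admin rights.
    admin_receivers = [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
                       if r.get(ANDROID_NS + "permission") == ADMIN_PERM]
    # Verdict: OTP interception + overlays + admin-based uninstall resistance together.
    verdict = bool(requested & SMS_PERMS) and OVERLAY_PERM in requested and bool(admin_receivers)
    return {"permissions": perms, "admin_receivers": admin_receivers,
            "banking_trojan_like": verdict}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in triage_manifest(SAMPLE_MANIFEST)["permissions"]:
        print(f"{perm}: {why}")
    print("verdict:", triage_manifest(SAMPLE_MANIFEST)["banking_trojan_like"])
```

The verdict is a heuristic for triage, not proof of malice; legitimate device-management apps also declare a device-admin receiver, so findings should be read alongside the app's source and distribution channel.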

Authors

Threatpost
